Conditions

Though the response by itself does not provide any way to compromise the device, this behavior discloses potentially valuable information about the internal network structure.

The disclosed address is not the address of the AXG or WAF; it is the address of its client, which in many cases is a load balancer.

The internal IP address is included in the message-handling error response if the AXG or WAF was not able to find a matching handler for the request.
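An added example, not part of the Cisco advisory: a check an operator can run over captured error responses to confirm whether they disclose an RFC 1918, loopback or link-local IPv4 address. The function name and the sample response are constructed for illustration; the advisory does not show the actual response format.

```python
import ipaddress
import re

# Candidate dotted-quad tokens not embedded in a longer dotted number.
# The regex only finds candidates; ipaddress does the real validation.
_IPV4_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Ranges that should never appear in a response sent to an outside client.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
)]

# Constructed sample: the layout is hypothetical, not taken from the advisory.
SAMPLE_ERROR_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "No matching handler for request from 10.20.30.40\r\n"
    "upstream 93.184.216.34, token 999.10.10.10\r\n"
)


def internal_addresses(response_text):
    """Return the sorted, de-duplicated internal IPv4 addresses in the text."""
    found = set()
    for token in _IPV4_TOKEN.findall(response_text):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # not a valid address, e.g. 999.10.10.10
        if any(addr in net for net in _INTERNAL_NETS):
            found.add(addr)
    return [str(a) for a in sorted(found)]


if __name__ == "__main__":
    leaked = internal_addresses(SAMPLE_ERROR_RESPONSE)
    print("internal addresses disclosed:", leaked or "none")
```

Run it against responses captured on the client side of the load balancer, since that is where the disclosed address would reach an outside party.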

Workaround

There is currently no workaround for this vulnerability.

Further Problem Description

System software version 6.1 is expected to be available in November 2009.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.